Your rights and privacy
This information is provided under the requirements of the General Data Protection Regulation and the Data Protection Act 2018. This shows you how personal data is processed by the National Disease Registration Service (NDRS).
Identity and contact details of the data controller
NHS Digital is the data controller for all information collected and processed as part of disease registration.
The data protection officer can be contacted on email@example.com.
Where does the information about me come from?
If you have been diagnosed with cancer, a rare disease or a congenital anomaly, the NHS team looking after you will record information about the care and treatment you receive. This information is shared with NDRS.
This applies to children as well as adults.
This information comes from many sources. See what data is collected here.
What data about me will be collected?
The NHS shares the following information with NDRS:
- your name and date of birth
- your gender and ethnicity
- your address and NHS number
- information about your diagnosis and treatment
We do not hold or have access to your mobile phone number or email address.
When is my data collected, and how long is it kept for?
We start collecting data as soon as you are being investigated for cancer, a rare disease or a congenital anomaly. We then follow your treatment for the rest of your life. We do this because we need to see if the disease comes back or if there are any side-effects from the treatment you receive.
It is important we hold data for at least the lifetime of the patient so that we can spot long term trends and carry out research. For example, some forms of cancer can be inherited. For those families with this genetic risk, long term monitoring is important.
NDRS and the law
The NDRS has legal permission to collect patient data to use it to protect the health of the population. Previously this permission was granted to Public Health England under section 251 of the National Health Services Act 2006.
From 1st October 2021, permission is now provided to NHS Digital. under legal instructions known as Directions, from the Secretary of State for Health and Social Care, under section 254 of the Health and Social Care Act 2012 (2012 Act). The Directions are called the National Disease Registries Directions 2021. They instruct NHS Digital to collect and use confidential patient information to operate the NDRS.
From 1st October 2021 NHS Digital is the controller of the personal data held by the NDRS under data protection law.
Under UK GDPR we can only collect and use personal data if we have a legal basis under Articles 6 and 9 of the UK GDPR.
Our legal basis to collect and use your personal data is:
- Article 6(1)(c) – legal obligation – as we are required to do this to operate the National Disease Registration Services under the National Disease Registries Directions 2021.
- Article 9(2)(g) – substantial public interest – because the processing of the data is substantially in the public interest and in accordance with the law, for the purposes of NHS Digital exercising its statutory functions under the National Disease Registries Directions 2021. It is substantially in the public interest to improve NHS cancer treatment and care, improve patient outcomes and to understand the prevalence of congenital anomalies and rare diseases in England and how these are affected by gender, ethnicity, disease type and geographic region. This is also permitted under paragraph 6 of Schedule 1 of the Data Protection Act 2018 (DPA).
NDRS and patient confidentiality
The National Disease Registries Directions 2021 provides NHS Digital with a legal obligation to process confidential patient information, setting aside the common law duty of confidence.
Where we disseminate confidential patient information, organisations requesting the data must have a legal basis under the common law to receive the information such as:
- evidence you have given them your explicit consent to the sharing of your data with them
- they have been granted specific legal approval from the Health Research Authority’s Confidentiality Advisory Group to use confidential patient information without your consent and who also have ethical approval to do so, or
- we have a legal obligation to share confidential patient information without consent, e.g. where there is a Court Order, or where this is necessary for public health purposes under Regulation 3 of Health Service (Control of Patient Information) Regulations 2002 (COPI), including under the COPI Notices issued by the Secretary of State for Health and Social Care in relation to COVID-19.
Everyone working with patient data is trained in information governance and follows strict rules to make sure patient information stays safe.
Find out more about how we keep data safe here.
Where is the data processed?
The data is never processed outside the UK and is always held safely and securely in England.
How is data shared?
We treat the data we hold with great care. Wherever possible, de-personalised data or anonymous data is used to protect patient confidentiality. We also apply the National Data Guardian’s Caldicott Principles to ensure we only provide the minimum amount of data necessary.
If data is shared with other organisations, strict rules must be followed. When we receive a request for data, we check that the data will be used appropriately for an important purpose.
Find out more about how data is shared here.
What are my rights in relation to the use of the personal data you hold about me?
Anyone can opt-out of disease registration at any time. It will not affect the care you receive from the NHS. Read more about opting-out here.
Can I see my own data?
If you would like to see what data we hold on you, you need to make a Subject Access Request (SAR) by emailing NDRSoptout@nhs.net.
First, we will verify your identity by asking for copies of your ID. Once the request is approved, we will send their information to their GP or clinical specialist. This makes sure that the information gets to you securely.
Where can I find out more?
If you want more information, you can contact our Data Protection Officer at firstname.lastname@example.org.
Webpage last updated: October 2021